SSH Server and Key Login Linux Mac Client to Windows Server
I wanted to send commands from other computers to my Windows 10 machine. Upon initial install of Windows, I logged in with my Microsoft account and was met with Permission denied, please try again.
when trying passwords
On The Client
The client refers to your personal machine that you use everyday. This is the physical laptop (etc) you use to login
Create Key
ssh-keygen -t ed25519
Output
You can just hit enter to skip over this
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\username/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\username/.ssh/id_ed25519.
Your public key has been saved in C:\Users\username/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8!gS0j8eGK7bYaH1FmF3sDuMeSj8 username@LOCAL-HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
| . |
| o |
| . + + . |
| o B * = . |
| o= B S . |
| .=B O o |
| + =+% o |
| *oo.O.E |
|+.o+=o. . |
+----[SHA256]-----+
This key will live at ~/.ssh/id_ed25519.pub
. We will use this id later
On the Server
the server refers to the remote machine that you want to control with the client. In this case making a ssh tunnel that connects your client device to the server
Install SSH Service
# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start Service
# Start the sshd service
Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
Back to Client
Here you can test logging into the server via password
ssh L150DDVR07
You will be prompted to enter your password and should see your terminal confirm that you are now tunneled into the Windows Server
Microsoft Windows [Version 10.0.20348.2582]
(c) Microsoft Corporation. All rights reserved.
l150\wchorski@L150D4DVR C:\Users\wchorski>
Now we can setup ssh key login so no more need for passwords.
Back on the Server
On the Windows Server desktop, open PowerShell as an administrator. You can either right click the app icon or run Start-Process powershell -Verb runAs
in a normal user launched Powershell.
Copy in Auth Key
## create auth key storage file
New-Item -Force -Path (Join-Path "C:\ProgramData\ssh" "administrators_authorized_keys")
## add in your ssh key from your client
Add-Content -Path 'C:\ProgramData\ssh\administrators_authorized_keys.txt' -Value "ssh-ed25519 A6AAC3UzaC1lZDI1NTE5AZAA3ImLyZ6YNxdiCOc8asDb7ZV1GT1ha6tEmGoctM3hU7qE USERNAME@moeits.com"
The key ssh-ed25519 A6AAC3UzaC1lZDI1NTE5AZAA3ImLyZ6YNxdiCOc8asDb7ZV1GT1ha6tEmGoctM3hU7qE USERNAME@moeits.com
is an example. Your key is the contents found in your client file ~/.ssh/id_ed25519.pub
GUI experience
If you'd like to do the above not in terminal you can open notepad.exe
.
## open notepad as administrator
Start-Process 'C:\windows\system32\notepad.exe'
Type in %programdata%/ssh
into the address bar to find hidden folder and create a file called administrators_authorized_keys
to drop your ssh key into
Notepad appends .txt
to the file so you'll need to remove it
## take off `.txt` extension
Rename-Item 'C:\ProgramData\ssh\administrators_authorized_keys.txt' 'C:\ProgramData\ssh\administrators_authorized_keys'
Set Correct Permissions
This isn't a requirement, but just in case you created the file with a user notepad this on command will set permissions to the file correctly.
This, effectively, grants Full Control privileges to the administrators_authorized_keys
file to both Administrators
and SYSTEM
.
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
## I also had this shorter version here. Idk if it is any different
icacls 'C:\ProgramData\ssh\administrators_authorized_keys' /inheritance:r /grant "Administrators:F" /grant "System:F"
Configure SSH Service
edit with Notepad C:\ProgramData\ssh\sshd_config
Start-Process 'C:\WINDOWS\system32\notepad.exe' 'C:\ProgramData\ssh\sshd_config'
sshd_config file
Change these 3 lines
...
PubkeyAuthentication yes
...
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
...
restart ssh service in powershell
Restart-Service sshd
Example Login
# assumes you have the same username on client and server
ssh L150DDVR07
# if targeting specific user
ssh wchorski@L150DDVR07
Credits
- How to Use SSH to Remotely Connect to Windows 10 or 11 – TheITBros
- Get started with OpenSSH for Windows | Microsoft Learn
- Key-based authentication in OpenSSH for Windows | Microsoft Learn
- Windows SSH server refuses key based authentication from client - Super User
- windows 10 - Using New-Item cmdlet with Literalpath in Powershell? - Stack Overflow
- How to Use SSH to Remotely Connect to Windows 10 or 11 – TheITBros
- Running a command as Administrator using PowerShell? - Stack Overflow